In the world of IT security, 2011 was a great year -- for cyber criminals. One exception would be a certain Russian cyber crime ring pushing spam for meds. But outside of that global aberration, it's been a good year for the villainy of the Internet, in part thanks to end-users and organizations who have once again failed to take basic steps to protect themselves from attacks.

Few companies, if any, were patching adequately in 2011, not even enough to prevent the most common malware attacks. I've yet to visit a single company that has adequately patched Adobe Reader, Adobe Flash, or Java, all of which show up on top 10 lists of the most exploited client-side software, month after month. Whenever people tell me they have high confidence in their great patching, I always check for those three products, and the customer is always -- I repeat, always -- unpatched. I've yet to find a client that had all their Internet-facing routers patched. Never. It's been 20 years.

Luckily for most cyber criminals, end-users still readily use the same password across most of their websites. Attackers were eagerly compromising the weakest websites to swipe credentials for breaking into the more secure, more popular websites. That phenomenon has driven some site operators to reset all user passwords. We're all sharing the same pool, apparently.

Advanced persistent threats remained a huge problem in 2011. We had documented, coordinated, long-term, successful attacks against much of our critical infrastructure, including government and military targets, nuclear labs, the chemical sector, and energy and water utilities. (I apologize if I left your sector out.)

I don't know a single security expert with hands-on APT experience who doesn't think that every large company in the world is already thoroughly hacked. That's a startling statement, and the best you'll get out of critics is that maybe not all are hacked, just most. I'm not sure I can celebrate that potential silver lining.

In 2011, we started to see hacks causing millions of dollars in reputational damage, such as the attacks on RSA and the Sony PlayStation Network. But it doesn't even take that much damage to end your company completely. Multiple digital certificate authorities are no more.